How to make cybersecurity a priority for boards

While you might think cybersecurity should be a greater priority in your business, it's up to your board to make that a reality. This article outlines how to make cybersecurity a priority for board members, in order to improve the quality of security decisions and ultimately mitigate today's business-crippling cyber risks.

Cybersecurity concerns are appearing more frequently on the agenda of board meetings. While spending in a range of business areas is shrinking because of uncertain times, worldwide cybersecurity spending is on a steep rise, with conservative estimates predicting total global spending of $174.7 billion by 2024, according to IDC.

This is a natural development. Cybercrime is no longer confined to credit card theft or digital vandalism. Business-hampering data breaches and ransomware attacks are reaching scales never before seen, and now pose such a great threat to businesses that they are considered the most serious existential threat to organizations in 2022. Post-breach damage is rapidly evolving to include ruined brand reputation, customer loyalty, partner relations, and of course, huge operational costs and missed business opportunities.

This trend, above all, dictates that boards need to seriously reconsider how cybersecurity risk is managed, not just on a one-off basis, but as a foundational risk of doing business. To achieve business resilience, boards need to adopt a well-founded understanding of cybersecurity risks and a security-centered mindset that views cybersecurity as the starting point of all business activities.

Cybersecurity is more than an IT problem

As a starting point, it is crucial to recognize that security is no longer limited to mere patching and protection of systems. Today, cybersecurity is ingrained in the web of general business operations, making it more than an IT problem. Recent ransomware incidents, such as the Danish 7-Eleven incident in August, demonstrate that cyberattacks can shut down the entire operations of a business at a moment’s notice.

And new threats are surfacing each day. Poorly communicated policies can give rise to insider threats and the accidental (or intentional) release of sensitive company data. Being associated with the wrong partner can indirectly make businesses sudden targets of hacktivist groups. The threat list is outgrowing most businesses’ security capabilities and resources. In this security area, the sword is notoriously always sharper than the shield can handle.

While boards tend to understand the impact of security on aspects such as brand and customer trust, and the potential financial costs are very clear to financial executives, IT security professionals such as CISOs still struggle to communicate just how serious the threat is, and just how quickly the landscape of cybercrime shifts.

 

Put cybersecurity on the board agenda with better communication

“Being able to manage your employees' passwords in a systematic way is incredibly valuable when employees suddenly get sick or lose their devices.”

Talking about threats and vulnerabilities might be the most appropriate way to discuss cybersecurity matters within tech-savvy circles, but it’s the wrong tactic for getting the attention of board members. By merely rephrasing threats and vulnerabilities as risks to be mitigated, and improved cyberdefenses as efforts that will provide a return on investment in terms of business resilience, customer trust and productivity gains, you will speak directly to the true concerns of board members, and thus capture their attention.

While threat analysis tools and reports are valuable for demonstrating threat levels, they rarely give a true snapshot of just how safe (or unsafe) an organization is. It is the job of the CISO to interpret this and communicate it in terms that relate to business operations. Sure, boards need insights into variables such as cost, reliability and cyber risk, but they also require a clear and overall view of the organization's current threat situation to make educated and data-driven decisions about cybersecurity efforts and initiatives.

Place a cybersecurity champion on the board

In today’s business environment, most enterprises would benefit from having at least one board member with a security background, or at least someone who has (successfully) dealt with business-crippling cyber incidents in the past. Having direct access to the knowledge of someone who has navigated through the various phases of a data breach incident and knows the dos and don’ts in a post-breach scenario is a huge competitive advantage. Such a person will ensure that security concerns stay top-of-mind at board meetings, and help any non-tech board members more easily understand the implications of a given risk scenario.

Don't place all your eggs in the cyber insurance "basket"

While cyber insurance is a new, and very much welcomed, tool for risk mitigation that provides coverage of liabilities connected to cyber incidents, it’s no magic bullet. Cyber insurance won’t prevent reputational damage, IP theft or the cost of acquiring new tools to prevent attacks.

There are plenty of benefits to cyber insurance. Cyber insurance providers will help cover legal fees, manage post-breach communications with customers, recover data and even help repair damaged systems. Yet, there will be incidents (and have been) where the most financially sound decision is to pay a ransom demand rather than deal with the costly aftermath of an attack. As previously mentioned, cyber insurance gives companies the confidence to resist ransom demands, but it won’t mitigate potential brand damages.

Manage with more flexibility

The cybersecurity industry is evolving at an unprecedented pace. The way companies manage their security programs needs to evolve in tandem with the changing landscape. In order to improve the way you manage your security programs, you need to be agile and innovative. You need to have a board that understands the risks and challenges of this new environment and can take appropriate and proactive security decisions. 

Defending your organization against cyberthreats will always include balancing costs with risks. Yet, with today’s threat landscape, your organization needs to improve the flexibility of its management processes. You simply won’t be able to appropriately and effectively deal with cyber incidents if security decisions aren’t made in a more informed and strategic manner. For this, your board needs to be more agile in its decision-making.
